WHAT IS CLAIMED IS:

1. A public key authorization infrastructure comprising:
a client program accessible by a user;
an application program;
a certificate authority issuing a long-term public key identity certificate (long-term certificate) that binds a public key of the user to long-term identification information related to the user;
a directory for storing short-term authorization information related to the user; and
a credentials server for issuing a short-term public key credential certificate (short-term certificate) to the client, the short-term certificate binds the public key of the user to the long-term identification information related to the user from the long-term certificate and to the short-term authorization information related to the user from the directory, wherein the client program presents the short-term certificate to the application program for authorization and demonstrates that the user has knowledge of a private key corresponding to the public key in the short-term certificate.

2. The public key authorization infrastructure of claim 1 wherein the short-term certificate includes an expiration date/time.

3. The public key authorization infrastructure of claim 2 wherein a validity period from when the credentials server issues the short-term certificate to the expiration date/time is sufficiently short such that the short-term certificate does not need to be subject to revocation.

4. The public key authorization infrastructure of claim 2 further comprising:
a certificate revocation list (CRL), wherein the expiration date/time of the short-term certificate is no later than a date/time at which a next CRL is scheduled.
5. The public key authorization infrastructure of claim 2 wherein the short-term certificate is not subject to revocation.

6. The public key authorization infrastructure of claim 1 wherein the short-term certificate is a non-structured short-term certificate.
7. The public key authorization infrastructure of claim 1 further comprising:
a second application program; and
wherein the short-term certificate is a structured short-term certificate including:
a first folder corresponding to the first named application program and containing long-term information and short-term information as required by the first named application program;
a second folder corresponding to the second application program and containing long-term information and short-term information as required by the second application;
wherein the first folder is open and the second folder is closed when the client presents the short-term certificate to the first named application program for authorization, wherein closing the second folder makes its contents not readable by the first named application program; and
wherein the first folder is closed and the second folder is open when the client presents the short-term certificate to the second application program for authorization, wherein closing the first folder makes its contents not readable by the second application program.

8. The public key authorization infrastructure of claim 1 wherein the short-term certificate is an X.509v3 certificate.
9. The public key authorization infrastructure of claim 7 wherein the first folder and the second folder are implemented as extension fields of an X.509v3 certificate.

10. The public key authorization infrastructure of claim 1 wherein the directory further stores the issued long-term certificate.

11. The public key authorization infrastructure of claim 1 wherein the private key is stored in a smartcard accessible by the client program.

12. The public key authorization infrastructure of claim 1 wherein the private key is stored in a secure software wallet accessible by the client program.
13. A method of authorizing a user, the method comprising the steps of:
issuing a long-term public key identity certificate (long-term certificate) that binds a public key of the user to long-term identification information related to the user;
storing short-term authorization information related to the user;
issuing a short-term public key credential certificate (short-term certificate) that binds the public key of the user to the long-term identification information related to the user contained in the long-term certificate and to the short-term authorization information related to the user; and
presenting the short-term certificate on behalf of the user to an application program for authorization and demonstrating that the user has knowledge of a private key corresponding to the public key in the short-term certificate.

14. The method of claim 13 wherein the short-term certificate includes an expiration date/time.
15. The method of claim 14 wherein a validity period from when the short-term certificate is issued to the expiration date/time is sufficiently short such that the short-term certificate does not need to be subject to revocation.

16. The method of claim 14 further comprising the step of:
maintaining a certificate revocation list (CRL), wherein the expiration date/time of the short-term certificate is no later than a time at which the next CRL is scheduled.

17. The method of claim 14 wherein the short-term certificate is not subject to revocation.

18. The method of claim 13 wherein the short-term certificate is a non-structured short-term certificate.
19. The method of claim 13 wherein the short-term certificate is a structured short-term certificate including a first folder corresponding to the first named application program and containing long-term information and short-term information as required by the first named application program, and including a second folder corresponding to a second application program and containing long-term information and short-term information as required by the second application, wherein the method further comprises the steps of:
closing the second folder and leaving the first folder open prior to the presenting step if the presenting step presents the short-term certificate to the first named application program for authorization, wherein closing the second folder makes its contents not readable by the first named application program; and
closing the first folder and leaving the second folder open prior to the presenting step if the presenting step presents the short-term certificate to the second application program for authorization, wherein closing the first folder makes its contents not readable by the second application program.

20. The method of claim 13 wherein the short-term certificate is an X.509v3 certificate.

21. The method of claim 19 wherein the first folder and the second folder are implemented as extension fields of an X.509v3 certificate.

22. The method of claim 13 wherein the method further comprises the step of:
storing the issued long-term certificate in a directory.

23. The method of claim 13 further comprising the step of:
storing the private key in a smartcard.

24. The method of claim 13 further comprising the step of:
storing the private key in a secure software wallet.
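The flow of claims 1, 3, 4, 8 and 13 to 16 (a long-term identity certificate, a short-term credential certificate carrying directory authorization data in an X.509v3 extension, an expiration capped at the next scheduled CRL, and a proof of private-key possession at presentation) written out as a small, self-contained Go program. This is an added illustration, not code from the patent or from any product implementing it; the extension OID, the party names, the "payroll:read" authorization value, the CRL schedule and the challenge nonce are all constructed for the example, and the folder mechanism of claims 7, 9, 19 and 21 is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID for the short-term authorization extension. Constructed for this
// example; it is not an assigned identifier.
var oidShortTermAuthz = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// shortTermExpiry applies the rule of claims 3-4 and 15-16: the short-term
// certificate lives for the requested lifetime but never past the next
// scheduled CRL, so it can be allowed to expire rather than be revoked.
func shortTermExpiry(issued time.Time, lifetime time.Duration, nextCRL time.Time) time.Time {
	if exp := issued.Add(lifetime); exp.Before(nextCRL) {
		return exp
	}
	return nextCRL
}

// issuer is a minimal self-signed signing authority; one instance plays the
// certificate authority, another the credentials server.
type issuer struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

func newIssuer(name string, now time.Time) (*issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &issuer{cert: cert, key: priv}, err
}

// issue signs tmpl for the subject public key pub under this issuer's key.
func (i *issuer) issue(tmpl *x509.Certificate, pub ed25519.PublicKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.cert, pub, i.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueLongTerm: the certificate authority binds the user's public key to
// long-term identification information (here, a common name).
func (i *issuer) IssueLongTerm(user string, pub ed25519.PublicKey, now time.Time) (*x509.Certificate, error) {
	return i.issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, pub)
}

// IssueShortTerm: the credentials server copies the identity and public key
// from the long-term certificate, adds the directory's authorization data as a
// non-critical extension, and caps the lifetime at the next CRL.
func (i *issuer) IssueShortTerm(longTerm *x509.Certificate, authz []string, lifetime time.Duration, nextCRL, now time.Time) (*x509.Certificate, error) {
	pub, ok := longTerm.PublicKey.(ed25519.PublicKey)
	if !ok {
		return nil, errors.New("long-term certificate does not carry an Ed25519 key")
	}
	ext, err := asn1.Marshal(authz) // SEQUENCE OF string
	if err != nil {
		return nil, err
	}
	return i.issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: longTerm.Subject,
		NotBefore: now, NotAfter: shortTermExpiry(now, lifetime, nextCRL),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidShortTermAuthz, Value: ext}},
	}, pub)
}

// Authorize is the application program's side: verify the short-term
// certificate chains to the credentials server and is within its validity
// window, check the client's signature over a fresh challenge (proof of
// private-key possession), then return the embedded authorization data.
func Authorize(credServer, shortTerm *x509.Certificate, challenge, sig []byte, now time.Time) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(credServer)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := shortTerm.Verify(opts); err != nil {
		return nil, err
	}
	pub, ok := shortTerm.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return nil, errors.New("proof of possession failed")
	}
	for _, e := range shortTerm.Extensions {
		if e.Id.Equal(oidShortTermAuthz) {
			var authz []string
			_, err := asn1.Unmarshal(e.Value, &authz)
			return authz, err
		}
	}
	return nil, errors.New("short-term certificate carries no authorization extension")
}

// runScenario wires the parties together with a constructed clock and CRL
// schedule; checkAfter is how long after issuance the application checks.
func runScenario(lifetime, checkAfter time.Duration) ([]string, time.Time, error) {
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	nextCRL := now.Add(4 * time.Hour) // constructed: next CRL at 13:00 UTC
	ca, err := newIssuer("Example CA", now)
	if err != nil {
		return nil, time.Time{}, err
	}
	cs, err := newIssuer("Example Credentials Server", now)
	if err != nil {
		return nil, time.Time{}, err
	}
	userPub, userPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, time.Time{}, err
	}
	longTerm, err := ca.IssueLongTerm("alice", userPub, now)
	if err != nil {
		return nil, time.Time{}, err
	}
	shortTerm, err := cs.IssueShortTerm(longTerm, []string{"payroll:read"}, lifetime, nextCRL, now)
	if err != nil {
		return nil, time.Time{}, err
	}
	challenge := []byte("constructed-nonce-0001") // application-chosen, fresh per request
	sig := ed25519.Sign(userPriv, challenge)       // client demonstrates key possession
	authz, err := Authorize(cs.cert, shortTerm, challenge, sig, now.Add(checkAfter))
	return authz, shortTerm.NotAfter, err
}

func main() {
	authz, notAfter, err := runScenario(8*time.Hour, time.Minute)
	fmt.Println("authorized:", authz, "expires:", notAfter, "err:", err)
	_, _, err = runScenario(8*time.Hour, 5*time.Hour)
	fmt.Println("after the CRL boundary, err:", err)
}
```

The credentials server requests an 8-hour lifetime, but the certificate expires at the 13:00 CRL boundary; a check one minute after issuance succeeds, while a check five hours later fails on expiry alone, which is the property that lets the short-term certificate go unrevoked.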